Abstract

We study the problem of determining the probability that $m$ vectors
selected uniformly at random from the intersection of the full-rank lattice
$L$ in $\mathbb{R}^n$ and the window $[0,B)^n$ generate $L$ when $B$ is chosen to be
appropriately large. This problem plays an important role in the analysis
of the success probability of quantum algorithms for solving the Discrete
Logarithm Problem in infrastructures obtained from number fields and
also for computing fundamental units of number fields.

We provide the first complete and rigorous proof that 2n + 1 vectors 
suffice to generate L with constant probability (provided that B is chosen 
to be sufficiently large in terms of n and the covering radius of L and 
the last n + 1 vectors are sampled from a slightly larger window). Based 
on extensive computer simulations, we conjecture that only n + 1 vectors 
sampled from one window suffice to generate L with constant success 
probability. If this conjecture is true, then a significantly better success 
probability of the above quantum algorithms can be guaranteed. 

1 Introduction 

The Discrete Logarithm Problem (DLP) is a mathematical primitive on which
many public-key cryptosystems are based. Examples of groups in which the
DLP is considered include the multiplicative group of $\mathbb{F}_q$ [MvOV97], the group
of $\mathbb{F}_q$-rational points of an elliptic curve [CFA+06], more generally the divisor
class group of an algebraic curve, or the ideal class group or infrastructure of an
algebraic number field [Buc91, SBW94]. For most of these groups, subexponential
algorithms exist which can solve the DLP. It is only in the case of low genus
curves that many instances were found for which only exponential algorithms
are known on classical computers. For almost all instances, no polynomial time
algorithms are known on classical computers.

In contrast, on quantum computers, polynomial time algorithms are known
which solve these DLPs [SW11, CM01, Hal05, Hal02, SV05, Sch07]. Assuming
large enough quantum computers can be built, cryptosystems based on the DLP
do not remain secure.

Even though all these quantum algorithms are polynomial time algorithms,
some of them are much more efficient than others. In particular, the algorithms
for solving the DLP in the infrastructure of a number field of unit rank $\geq 2$ seem
to have the worst performance of all of them [FW12]. The main problem is that
the group involved is no longer discrete, unlike the other cases, where one
essentially has finite abelian groups. In the infrastructure of a number field, one
works in a torus $T = \mathbb{R}^n/\Lambda$, where $\Lambda$ is a lattice of full rank in $\mathbb{R}^n$ [Fon11]. The
coefficients of all non-trivial vectors of $\Lambda$ are transcendental numbers, whence
one has to work with approximations.

Solving the DLP can be reformulated as a lattice problem. The task is to
find a basis of a lattice $\Lambda' \subseteq \mathbb{R}^{n+1}$, where vectors with a non-zero entry in the
last component yield the desired solution of the DLP.

To find a basis of $\Lambda'$, the quantum algorithm has a mechanism which, with
a certain probability $p_1 > 0$, outputs an essentially uniformly distributed vector
$\lambda^* \in (\Lambda')^* \cap [0,B)^{n+1}$, where $(\Lambda')^*$ is the dual lattice of $\Lambda'$ and $B > 0$ is
sufficiently large. If one has $\lambda^*_1, \ldots, \lambda^*_m$ with $(\Lambda')^* = \langle \lambda^*_1, \ldots, \lambda^*_m \rangle_{\mathbb{Z}}$, one can
compute a basis of $(\Lambda')^*$ from these vectors and then use linear algebra to
retrieve a basis of $\Lambda'$ itself.

To compute the success probability of the algorithm, one has to consider the
probability that the $m$ sampled vectors are actually in $(\Lambda')^*$, and the probability
that $m$ random vectors from $(\Lambda')^* \cap [0,B)^{n+1}$ generate $(\Lambda')^*$. If the latter
probability is $p_2$, then the overall success probability is $p_1^m p_2$, and one expects
that one has to run the algorithm about $(p_1^m p_2)^{-1}$ times before it outputs a basis
of $(\Lambda')^*$ and thus of $\Lambda'$ itself. (Note that it is possible to check in polynomial
time whether the vectors which are supposed to be a basis of $\Lambda'$ are actually
elements of $\Lambda'$. However, it is computationally much more expensive to check
whether they form a basis; no polynomial-time algorithms for checking this are
known.)

The main problem is that for $n \geq 1$, the lower bound one can prove for $p_1$
is quite small. In fact, it seems unavoidable that $p_1$ is bounded away from 1
by a nonzero constant. In [FW12] we have explicitly specified the lower bounds
on the overall success probability that can be proved rigorously. Already for
$n = 2$, the currently known rigorous lower bound is so small that the algorithm
would not have any practical relevance even if large enough quantum computers
can be built, unless the actual success probability is significantly larger.

Therefore, it is vital to improve the analysis of the success probability. The
most important step toward proving tighter bounds is to minimize the value of
$m$, which is the central topic of this paper. Note that we must have $m \geq n+1$,
as the rank of $(\Lambda')^*$ is $n+1$.

The purpose of this paper is twofold. First, we present a bound on $p_2$, using
$m = 2(n+1)+1$. For this, we need to use two different window sizes: the
first $n+1$ vectors are sampled from a smaller window $[0,B)^{n+1}$, and the latter
$(n+1)+1$ vectors from a larger window $[0,B_1)^{n+1}$ with $B_1 > B$. To the
best of our knowledge, this is the first explicit result for the problem described
above. Unfortunately it is impossible to use this particular approach to prove a
constant lower bound on the success probability for smaller values of $m$. This
will be discussed in Section 2.

The second purpose of this paper is to argue that it should be possible to
substantially improve upon our current approach. We formulate the conjecture
that sampling $m = (n+1)+1$ vectors from one window suffices to generate the
lattice with constant probability. We also identify a candidate for the probability.
This is corroborated by extensive numerical experiments. We hope that
this conjecture will be proven rigorously in the future. This part of the paper
is presented in Section 3.

It is our hope that our work will provide more attention to this problem, 
and also inspire others to search for bounds for smaller values of m. 

To make this exposition more readable, we have relegated the proofs of most
of our statements to Appendix A.

2 Solving the Lattice Generation Problem 

To simplify notation, we from now on use the lattice $\Lambda \subseteq \mathbb{R}^n$ of rank $n$, instead
of the lattice $(\Lambda')^* \subseteq \mathbb{R}^{n+1}$ of rank $n+1$. Thus we work with $m = 2n+1$
vectors.

We solve our problem in two steps. First, we consider the probability that
$n$ vectors sampled uniformly at random from $\Lambda$ generate a sublattice $\Lambda_1$ of full
rank, i.e. do not lie in a hyperplane. Then, we compute the probability that
the residue classes of the next $n+1$ vectors generate the finite abelian quotient
group $\Lambda/\Lambda_1$. Finally, we combine these two results.

In the following, we assume that $n \geq 1$. We discuss a result for the case
$n = 1$ in Section 3.

The idea to prove a lower bound on the probability by considering the above
two steps was proposed by A. Schmidt in [Sch07]. We present a correct proof of
the problem arising in the first step, fixing a mistake in Schmidt's proof. Our
approach to analyzing the problem arising in the second step is entirely different
from the approach undertaken by Schmidt. The differences will be discussed in
Sections 2.1 and 2.2.

2.1 Generating a Sublattice of Full Rank 

Note that $\lambda_1, \ldots, \lambda_n \in \Lambda \cap [0,B)^n$ generate a sublattice of full rank if and only
if they are linearly independent over $\mathbb{R}$. This is the case if, for every $i$, $\lambda_i$ is not contained in
the $(i-1)$-dimensional hyperplane spanned by $\lambda_1, \ldots, \lambda_{i-1}$. Thus to bound the
probability that $n$ uniformly random vectors from $\Lambda \cap [0,B)^n$ generate a full rank
sublattice, one has to bound the number of lattice elements in the intersection
as well as the number of lattice elements lying both in the intersection and in a
$k$-dimensional hyperplane, $1 \leq k < n$. We find such bounds using Voronoi cells;
compare Section 1.2 of Chapter 8 in [MG02]. We obtain:

Lemma 2.1. Assume that $B \geq 2\nu(\Lambda)$. Then
$$\frac{(B - 2\nu(\Lambda))^n}{\det \Lambda} \leq |\Lambda \cap [0,B)^n| \leq \frac{(B + 2\nu(\Lambda))^n}{\det \Lambda}.$$

Lemma 2.2. Let $B > 0$ and let $H$ be a $k$-dimensional hyperplane, $1 \leq k < n$.
Then
$$|\Lambda \cap H \cap [0,B)^n| \leq \frac{n^{k/2}\,(B + 2\nu(\Lambda))^k\,(2\nu(\Lambda))^{n-k}}{\det \Lambda}.$$

In these lemmas, $\nu(\Lambda)$ denotes the covering radius of $\Lambda$. Note that
$\nu(\Lambda) \leq \frac{1}{2}\, n^{n/2+1}\, \frac{\det \Lambda}{\lambda_1(\Lambda)^{n-1}}$, where $\lambda_1(\Lambda)$ denotes the first successive minimum of $\Lambda$ [MG02],
i.e. the length of a shortest nonzero vector in $\Lambda$. The proofs are similar to the
one of Proposition 8.7 in [MG02]; for the sake of completeness, we include
proofs in Appendix A.

This allows us to find the following bound on the probability that $n$ random
vectors generate a sublattice of full rank:

Corollary 2.3. Assume that $B \geq 8n^{n/2} \cdot \nu(\Lambda)$. Let
$$X := (\Lambda \cap [0,B)^n)^n \quad\text{and}\quad Y := \{(y_1, \ldots, y_n) \in X \mid \operatorname{span}_{\mathbb{R}}(y_1, \ldots, y_n) = \mathbb{R}^n\}.$$
Then $|Y| \geq \frac{1}{2}\,|X|$.

Note that our lower bound is far from optimal. If one considers the value $p_k$
from the proof and substitutes $j$ by $8n^{n/2}$, one obtains the lower bound
$$\prod_{k=0}^{n-1} \left(1 - \frac{n^{k/2}\,(4n^{n/2}+1)^k}{(4n^{n/2}-1)^n}\right).$$
For $n = 1$ this is $\frac{2}{3}$, and the product grows to 1 for $n \to \infty$. For small $n$, the
values are:

Dimension n   |   1   |   2   |   3   |   4   |   5   |   6   |   7
Lower bound   | 0.666 | 0.725 | 0.812 | 0.859 | 0.883 | 0.896 | 0.905



Remark 2.4. The basic idea of the proof of this corollary is similar to the proof
of the first part of Satz 2.4.23 in [Sch07]; we also included it in Appendix A.
Note that the proof in [Sch07] is not correct: the ratio $|M_{i-1} \cap B| / |M_i \cap B|$ considered in
the proof can be $> \frac{1}{2}$; for example, consider $r = 3$, $M = \mathbb{Z}^3$, $n \geq 2$ arbitrary (in
[Sch07], $n\nu(M)$ is what we denote by $B$, i.e., $B = [0, n\nu(M))^n$), $x_1 = (1, n\nu(M) - 1, 0)$,
$x_2 = (0, 1, n\nu(M) - 1)$, $x_3 = (0, 0, 1)$; then $M_1 \cap B$ contains two elements,
while $M_2 \cap B$ contains three elements. Therefore, $|M_1 \cap B| / |M_2 \cap B| = \frac{2}{3} > \frac{1}{2}$. The problem
is that $\det M_i$ cannot be bounded linearly in terms of $\nu(M)$ and $\det M_{i-1}$,
as it was claimed in that proof; in this example, $\det M_1 = \sqrt{1 + (n-1)^2}$,
$\det M_2 = \sqrt{1 + (n-1)^2 + (n-1)^4}$ and $\nu(M) = 1$. In our proof, we proceed
differently by bounding the ratio $|\Lambda \cap H \cap [0,B)^n| / |\Lambda \cap [0,B)^n|$ directly, and both our bound on
the probability and our bound on the minimal size of $B$ are in fact better than
the corresponding bounds given in [Sch07].

2.2 Generating a Finite Abelian Group 

In case $\Lambda_1$ is a sublattice of full rank of $\Lambda$, the quotient group $G = \Lambda/\Lambda_1$ is a
finite abelian group. Its order equals the index $[\Lambda : \Lambda_1]$, and by the Elementary
Divisor Theorem, it can be generated by $n$ elements.

Proposition 2.5. Let $G$ be a finite abelian group known to be generated by $n$
elements. Then the probability that $n+1$ elements drawn uniformly at random
from $G$ generate $G$ is at least
$$C := \prod_{i=2}^{\infty} \zeta(i)^{-1} > 0.434,$$
where $\zeta$ denotes the Riemann zeta function.

For the proof of this result, which is also included in Appendix A, we consider
the decomposition of $G$ into its Sylow subgroups. In [Pom01] it is shown that the
probability that the $p$-Sylow subgroup is generated by $n+1$ uniformly random
elements is
$$\prod_{i=1}^{r} \left(1 - p^{-((n+1-r)+i)}\right) \geq \prod_{i=2}^{n+1} \left(1 - p^{-i}\right),$$
where $r$ is the $p$-rank of $G$. We know that $r \leq n$, since $G$ is generated by
$n$ elements. Combining the probabilities for all $p$-Sylow subgroups, we obtain
the product
$$\prod_p \prod_{i=2}^{n+1} \left(1 - p^{-i}\right) = \prod_{i=2}^{n+1} \prod_p \left(1 - p^{-i}\right) = \left(\prod_{i=2}^{n+1} \zeta(i)\right)^{-1},$$
where $\zeta$ denotes the Riemann $\zeta$ function and the last equality follows from its
Euler product expansion. For the decimal expansion of $C$, see [Seq].

Observe that our approach only works if we have at least $n+1$ elements. If
we chose just $n$ elements randomly, the final product would include $\prod_p (1 - p^{-1}) = 0$,
and the probability would drop down to zero. However, a different approach can
result in a non-zero probability for $n$ elements. This probability will necessarily
not be constant anymore, but has to depend on $n$ or $|G|$. For example, if
$p_1, \ldots, p_k$ are distinct primes and $G = \prod_{i=1}^{k} \mathbb{F}_{p_i}^n = (\mathbb{Z}/(p_1 \cdots p_k)\mathbb{Z})^n$, then $G$
can be generated by $n$ elements, but the probability that $n$ random elements
from $G$ generate $G$ is exactly $\prod_{i=1}^{k} \prod_{j=1}^{n} \left(1 - p_i^{-j}\right)$, which goes to zero for $k \to \infty$
for exactly the above reasons. Hence, any non-trivial bound on the probability
must take $n$ or $p_1, \ldots, p_k$ into account.

This shows that our approach will not work with fewer than $2n+1$ elements
if the desired bound on the probability should be independent of $n$.

2.3 The Final Result 

Assume that the first $n$ sampled vectors from $\Lambda \cap [0,B)^n$ generate a sublattice
$\Lambda_1$ of full rank. Then $G = \Lambda/\Lambda_1$ is a finite abelian group which can be
generated by $n$ elements. Thus if we sample $n+1$ elements $\lambda + \Lambda_1$ from $G$ in
a uniform random manner, we can bound the probability that they generate
$G$. In case $G = \langle \lambda_{n+1} + \Lambda_1, \ldots, \lambda_{2n+1} + \Lambda_1 \rangle$ and $\Lambda_1 = \langle \lambda_1, \ldots, \lambda_n \rangle$, we have
$\Lambda = \langle \lambda_1, \ldots, \lambda_n, \lambda_{n+1}, \ldots, \lambda_{2n+1} \rangle$.

The main problem is that we cannot directly sample uniformly at random
from $G$: if we choose $\lambda \in \Lambda \cap [0,B)^n$ uniformly at random, then $\lambda + \Lambda_1$ will
in general not be uniformly distributed in $G = \Lambda/\Lambda_1$. By enlarging the window
$[0,B)^n$ to $[0,B_1)^n$ with $B_1 > B$ large enough, we ensure that the residue
classes of the samples $\lambda \in \Lambda \cap [0,B_1)^n$ are essentially distributed uniformly at
random in $G$. More precisely, we can show that the statistical distance between
the distribution and the perfectly uniform distribution is small enough. This is
established by the following result, whose proof can be found in Appendix A.

Lemma 2.6. Let $\Lambda_1$ be an arbitrary full-rank sublattice of $\Lambda$. Assume that
$B_1 \geq 2\nu(\Lambda_1)$ and that we can sample uniformly at random from $\Lambda \cap [0,B_1)^n$. Denote
the sample by $\lambda$. Then $\lambda + \Lambda_1$ is distributed almost uniformly at random over
the quotient group $\Lambda/\Lambda_1$. More precisely, the total variation distance between
the uniform distribution over $\Lambda/\Lambda_1$ and the distribution of $\lambda + \Lambda_1$, where $\lambda \in$
$\Lambda \cap [0,B_1)^n$ is uniformly distributed, is at most
$$1 - \frac{(B_1 - 2\nu(\Lambda_1))^n}{(B_1 + 2\nu(\Lambda))^n}.$$

Combining the lemma and Proposition 2.5 and using the additivity of the
total variation distance under composition, provided that the components are
independent, we obtain the following result:

Corollary 2.7. Assume that $B \geq 8n^{n/2} \cdot \nu(\Lambda)$ and $B_1 \geq 8n^2(n+1)B$. Let $Y$
be as in Corollary 2.3 and $(y_1, \ldots, y_n) \in Y$. Let
$$X_1 := (\Lambda \cap [0,B_1)^n)^{n+1} \quad\text{and}\quad Z := \{(z_1, \ldots, z_{n+1}) \in X_1 \mid \operatorname{span}_{\mathbb{Z}}\{y_1, \ldots, y_n, z_1, \ldots, z_{n+1}\} = \Lambda\}.$$
Then $|Z| \geq \left(C - \frac{1}{4}\right)|X_1| > 0.184\,|X_1|$.

A proof of this result can be found in Appendix A. Combining this corollary
with Corollary 2.3, we obtain our main result:

Theorem 2.8. Let $\Lambda$ be a lattice of full rank in $\mathbb{R}^n$, and assume that $B \geq 8n^{n/2} \cdot \nu(\Lambda)$
and $B_1 \geq 8n^2(n+1)B$. Assume that $n$ vectors are selected uniformly at
random from $\Lambda \cap [0,B)^n$ and $n+1$ vectors uniformly at random from $\Lambda \cap [0,B_1)^n$.
If the vectors were sampled independently, then the probability that all these
vectors generate $\Lambda$ is at least
$$\frac{1}{2}\left(C - \frac{1}{4}\right) > 0.092.$$

This theorem is similar to Satz 2.4.23 in [Sch07]. We emphasize that our
bound on the success probability is constant, whereas the bound presented in
Satz 2.4.23 decreases exponentially fast with the dimension $n$. The first part
of the proof of Satz 2.4.23 (concerning the generation of a full-rank sublattice) is
unfortunately not correct, but can be corrected as we have shown in our proof
of Corollary 2.3. The idea behind the second part is completely different from
our proof and cannot be used to prove a constant success probability. Perhaps
it could be used to prove that only $2n$ random elements (as opposed to $2n+1$
elements) are needed to guarantee a non-zero success probability.

Note that for a fixed dimension $n$, one obtains bounds larger than 0.092.
The proofs of the above results yield the lower bound
$$\left(\prod_{i=2}^{n+1} \zeta(i)^{-1} - \frac{1}{4}\right) \prod_{k=0}^{n-1} \left(1 - \frac{n^{k/2}\,(4n^{n/2}+1)^k}{(4n^{n/2}-1)^n}\right)$$
on the success probability. For $n = 1, 2, 3, 4$ and $5$, this is larger than 0.238, 0.185, 0.176, 0.172 and 0.170,
respectively.
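As an added worked example (my code, not part of the paper), the following Python script evaluates the explicit quantities of this section: the Corollary 2.3 bound for $n = 1, \ldots, 7$ (the table in Section 2.1), the zeta products $\prod_{i=2}^{n+1} \zeta(i)^{-1}$ and the constant $C$ of Proposition 2.5, the exact generation probability for the group $G = (\mathbb{Z}/(p_1 \cdots p_k)\mathbb{Z})^n$ of Section 2.2 with $n$ versus $n+1$ random elements, and the bounds of Theorem 2.8 and of the fixed-$n$ refinement above. Only the standard library is used; the way $\zeta(s)$ is evaluated (a partial sum plus an Euler-Maclaurin tail correction) is my choice and is not prescribed by the paper.

```python
"""Added example: numerical evaluation of the explicit bounds of Section 2.

Only the standard library is used.  zeta() evaluates the Riemann zeta function for
real s >= 2 by a partial sum plus an Euler-Maclaurin tail correction; that choice
is mine and is not prescribed by the paper.
"""
from fractions import Fraction


def zeta(s, terms=10_000):
    """Riemann zeta(s) for real s >= 2, accurate to roughly double precision."""
    n = terms
    partial = sum(k ** (-s) for k in range(1, n + 1))
    # Euler-Maclaurin tail for sum_{k > n} k^(-s): integral, boundary term, B_2 term.
    tail = n ** (1 - s) / (s - 1) - 0.5 * n ** (-s) + s * n ** (-s - 1) / 12
    return partial + tail


def zeta_product_inverse(n):
    """prod_{i=2}^{n+1} zeta(i)^(-1): the 'ideal' probability that n+1 random
    vectors generate a lattice of dimension n (Section 2.2, Tables 1 and 2)."""
    result = 1.0
    for i in range(2, n + 2):
        result /= zeta(i)
    return result


def constant_c():
    """C = prod_{i>=2} zeta(i)^(-1) of Proposition 2.5.  Factors with i > 64 are
    within 2^-64 of 1 and are dropped."""
    return zeta_product_inverse(63)


def sublattice_bound(n):
    """Corollary 2.3 with j = 8 n^(n/2): lower bound on the probability that n random
    vectors of Lambda ∩ [0,B)^n are linearly independent,
    prod_{k=0}^{n-1} (1 - n^(k/2) (4 n^(n/2) + 1)^k / (4 n^(n/2) - 1)^n)."""
    a = 4 * n ** (n / 2)
    result = 1.0
    for k in range(n):
        result *= 1 - n ** (k / 2) * (a + 1) ** k / (a - 1) ** n
    return result


def theorem_bound():
    """Theorem 2.8: (1/2)(C - 1/4), valid in every dimension n >= 1."""
    return 0.5 * (constant_c() - 0.25)


def fixed_dimension_bound(n):
    """The sharper bound for a fixed dimension n given at the end of Section 2.3."""
    return (zeta_product_inverse(n) - 0.25) * sublattice_bound(n)


def generation_probability_mod_primes(n, m, primes):
    """Exact probability that m uniform elements of G = (Z/(p_1 ... p_k)Z)^n generate G.

    For each prime p, m random vectors span F_p^n with probability
    prod_{j=m-n+1}^{m} (1 - p^(-j)); by the Chinese remainder theorem the primes
    are independent.  For m = n the factor (1 - 1/p) appears and the product over
    many primes tends to 0, which is the obstruction discussed in Section 2.2.
    """
    if m < n:
        return Fraction(0)  # fewer than n elements can never span
    prob = Fraction(1)
    for p in primes:
        for j in range(m - n + 1, m + 1):
            prob *= 1 - Fraction(1, p ** j)
    return prob


if __name__ == "__main__":
    truncate = lambda x: int(x * 1000) / 1000  # the paper's table truncates, it does not round
    print("Corollary 2.3 bound, n = 1..7:", [truncate(sublattice_bound(n)) for n in range(1, 8)])
    print("ideal probabilities, n = 1..5:", [round(zeta_product_inverse(n), 6) for n in range(1, 6)])
    print("C =", constant_c(), "  Theorem 2.8 bound =", theorem_bound())
    print("fixed-n bounds, n = 1..5:", [truncate(fixed_dimension_bound(n)) for n in range(1, 6)])
    g = generation_probability_mod_primes
    print("(Z/210Z)^2 with 2 vs 3 generators:", float(g(2, 2, [2, 3, 5, 7])), float(g(2, 3, [2, 3, 5, 7])))
```

Running the script reproduces the Corollary 2.3 values 0.666, 0.725, ..., 0.905, the ideal probabilities of Table 1, $C \approx 0.43576$, the Theorem 2.8 bound $\approx 0.0929$ and the fixed-$n$ bounds 0.238, 0.185, 0.176, 0.172, 0.170. The last line illustrates the $m = n$ obstruction: for $(\mathbb{Z}/210\mathbb{Z})^2$ the $j = 1$ factors $(1 - 1/p)$ pull the exact probability with 2 random elements down to about 0.14, while 3 random elements already reach about 0.52.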



3 A Conjecture

Let $b_1, \ldots, b_n$ be any basis of the lattice $\Lambda$. Consider the natural isomorphism
$\Phi : \mathbb{R}^n \to \mathbb{R}^n$ mapping the $i$-th standard unit vector $e_i$ to $b_i$. Then $\Phi(\mathbb{Z}^n) = \Lambda$.
Let
$$X := \Phi^{-1}([0,B)^n) = \Bigl\{(a_1, \ldots, a_n) \in \mathbb{R}^n \;\Big|\; \sum_{i=1}^{n} a_i b_i \in [0,B)^n\Bigr\};$$
this is a parallelepiped in $\mathbb{R}^n$ of volume $\frac{B^n}{\det \Lambda}$ having $0$ as a vertex. If we assume
that the basis $b_1, \ldots, b_n$ is reduced, then this parallelepiped is not too skewed.

Now let $v_1, \ldots, v_m \in \Lambda$ be vectors, $m \geq n$, and consider $\tilde v_i := \Phi^{-1}(v_i) \in \mathbb{Z}^n$
for $i = 1, \ldots, m$. We have that $\langle v_1, \ldots, v_m \rangle = \Lambda$ if and only if $\langle \tilde v_1, \ldots, \tilde v_m \rangle = \mathbb{Z}^n$,
and this is the case if and only if the matrix $(\tilde v_1, \ldots, \tilde v_m) \in \mathbb{Z}^{n \times m}$ is unimodular.

Therefore, the probability that $m \geq n$ vectors selected uniformly at random
in $\Lambda \cap [0,B)^n$ generate $\Lambda$ equals the probability that an $n \times m$ integer matrix
whose columns are chosen uniformly at random in $X$ is unimodular.

For $X = [-B,B]^n$, G. Maze, J. Rosenthal and U. Wagner showed in [MRW11]
that the limit of the probability for $B \to \infty$ is $\prod_{j=m-n+1}^{m} \zeta(j)^{-1}$, which,
not very surprisingly, equals the probability given in Section 2.2. This can be
bounded from below by $C > 0.434$ as soon as $m > n$. This implies that for a
certain $B_0 > 0$, we have that the probability is at least 0.434 for all $B \geq B_0$.

Unfortunately, the proof of [MRW11] does not yield effective non-trivial
bounds for any such $B_0$. Moreover, this result only holds for the special case
$X = [-B,B]^n$, while we have to consider essentially arbitrary parallelepipeds
with $0$ as a vertex.

We have run computer experiments to study the probability for arbitrary
parallelepipeds. We restricted to the case $m = n+1$. For the experiments,
we generated a random parallelepiped by choosing $n$ vectors from $[-C,C]^n$
and considering the parallelepiped spanned by them. We generated 1000 such
parallelepipeds, and for every parallelepiped we generated 10 000 integer
matrices with columns taken uniformly at random from the parallelepiped. Every
matrix was tested whether it is unimodular. We used three different bounds
for $C$, namely $C = 10^4$, $C = 10^9$ and $C = 10^{18}$. For every combination of
$n \times m = n \times (n+1)$ and $C$, we computed both the average probability that an
$n \times m$ integer matrix taken from a parallelepiped is unimodular, and the
minimal probability (over all parallelepipeds for given $n \times m$ and $C$). The results
are shown in Tables 1 (average probabilities) and 2 (minimal probabilities) below.
They also include the "ideal" probabilities $\prod_{j=2}^{n+1} \zeta(j)^{-1}$ predicted for
the special parallelepiped with $B \to \infty$ in [MRW11].

As one can clearly see, the average values are very close to the ideal ones.
But also the minimal probabilities observed in the experiments were always
close to the ideal values. In fact, the difference between minimal and maximal
probabilities never exceeded 3.66%. If one compares these probabilities to the
bounds given at the end of Section 2.3, one sees that the bounds obtained
there are far too low.
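The experiment described above, as an added Python example (my code; the paper does not reproduce the authors' experiment code): a parallelepiped spanned by $n$ integer vectors is fixed, $n+1$ integer points are drawn uniformly from it by rejection sampling in its bounding box, and the resulting $n \times (n+1)$ matrix is tested for unimodularity through the gcd of its maximal minors, which is exactly the criterion $\langle \tilde v_1, \ldots, \tilde v_m \rangle = \mathbb{Z}^n$ of this section. The basis vectors, the bound $C = 50$ (the paper uses $10^4$ to $10^{18}$), the trial counts and the rejection sampler are my choices, made to keep the run time short.

```python
"""Added example: the unimodular-matrix experiment of Section 3 in miniature.

A parallelepiped P spanned by n integer vectors is fixed, n+1 integer points are
drawn uniformly from P by rejection sampling in its bounding box, and the
n x (n+1) matrix with those points as columns is tested for unimodularity,
i.e. whether its columns generate Z^n.  Basis sizes (C = 50) and trial counts
are far below the paper's and were chosen only to keep the run time short.
"""
import random
from fractions import Fraction
from itertools import combinations
from math import gcd, prod


def det_int(matrix):
    """Exact determinant of a square integer matrix (Bareiss fraction-free elimination)."""
    a = [row[:] for row in matrix]
    n = len(a)
    sign, prev = 1, 1
    for k in range(n - 1):
        if a[k][k] == 0:  # pivot needed: swap in a row with a non-zero entry in column k
            pivot = next((i for i in range(k + 1, n) if a[i][k] != 0), None)
            if pivot is None:
                return 0
            a[k], a[pivot] = a[pivot], a[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                a[i][j] = (a[i][j] * a[k][k] - a[i][k] * a[k][j]) // prev  # exact division
        prev = a[k][k]
    return sign * a[n - 1][n - 1]


def matrix_from_columns(columns):
    """Rows of the matrix whose columns are the given vectors."""
    return [list(row) for row in zip(*columns)]


def is_unimodular(columns):
    """n x m integer matrix (m >= n) given by its columns: unimodular iff the gcd of
    all n x n minors is 1, which is exactly the condition that the columns generate Z^n."""
    n = len(columns[0])
    g = 0
    for subset in combinations(columns, n):
        g = gcd(g, abs(det_int(matrix_from_columns(subset))))
        if g == 1:
            return True
    return False


def coordinates(basis, point):
    """Exact coordinates a with sum_i a_i * basis[i] = point (Cramer's rule)."""
    d = det_int(matrix_from_columns(basis))
    coords = []
    for i in range(len(basis)):
        replaced = list(basis)
        replaced[i] = point
        coords.append(Fraction(det_int(matrix_from_columns(replaced)), d))
    return coords


def bounding_box(basis):
    """Per-coordinate [lo, hi] of the parallelepiped {sum a_i basis[i] : 0 <= a_i <= 1}."""
    dim = len(basis[0])
    lo = [sum(min(0, b[j]) for b in basis) for j in range(dim)]
    hi = [sum(max(0, b[j]) for b in basis) for j in range(dim)]
    return lo, hi


def sample_point(basis, rng):
    """Uniform integer point of the half-open parallelepiped (all coordinates in [0, 1))."""
    lo, hi = bounding_box(basis)
    while True:
        x = [rng.randint(lo[j], hi[j]) for j in range(len(lo))]
        if all(0 <= a < 1 for a in coordinates(basis, x)):
            return x


def unimodular_frequency(basis, trials, seed=0):
    """Fraction of trials in which n+1 uniform points of the parallelepiped generate Z^n."""
    rng = random.Random(seed)
    n = len(basis)
    hits = sum(is_unimodular([sample_point(basis, rng) for _ in range(n + 1)])
               for _ in range(trials))
    return hits / trials


def random_basis(n, c, rng):
    """n vectors from [-c, c]^n, redrawn until the parallelepiped fills at least a
    quarter of its bounding box so that rejection sampling stays cheap."""
    while True:
        basis = [[rng.randint(-c, c) for _ in range(n)] for _ in range(n)]
        lo, hi = bounding_box(basis)
        box = prod(hi[j] - lo[j] + 1 for j in range(n))
        if 4 * abs(det_int(basis)) >= box:
            return basis


if __name__ == "__main__":
    rng = random.Random(1)
    for n in (1, 2, 3):
        basis = random_basis(n, 50, rng)
        print(n, basis, unimodular_frequency(basis, 500, seed=n))
```

Running the script prints, for $n = 1, 2, 3$, the chosen basis and the empirical frequency of unimodular matrices. With parallelepipeds this small the finite-size deviation from the ideal values 0.608, 0.506 and 0.467 of Table 1 is clearly visible (for $n = 1$ the parallelepiped has at most 50 points), which is one reason the paper goes to $C \geq 10^4$. The `is_unimodular` test itself is exact, so the same function decides for any set of lattice vectors, written in coordinates of a known basis, whether they generate the lattice.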

Based on the evidence sketched above, we conjecture: 

Conjecture 3.1. For every $n \in \mathbb{N}$, there exists a constant $0 < c_n < 1$ and a
rational function $f_n \in \mathbb{R}(x,y)$ satisfying
$$\forall x_0 > 0\ \ \forall y_0 \in (0, x_0^{1/n}] :\quad \sup\{ f_n(x,y) \mid 0 < x < x_0,\ y_0 \leq y \leq x^{1/n} \} < \infty$$
such that the following holds:

Let $\Lambda$ be a lattice in $\mathbb{R}^n$ and let $B \geq f_n(\det \Lambda, \lambda_1(\Lambda))$. Then the probability
that $n+1$ vectors chosen uniformly at random from $\Lambda \cap [0,B)^n$ generate the
lattice $\Lambda$ is at least $c_n$.

Moreover, the constant $c_n$ can be chosen close to $\prod_{k=2}^{n+1} \zeta(k)^{-1}$.

The conditions on $f_n$ ensure that given a family of lattices where we have an
upper bound on $\det \Lambda$ and a lower bound on $\lambda_1(\Lambda)$, we can find a lower bound
on $B$ such that the result holds for all lattices of this family. This is for example
the case for unit lattices of number fields. There, one has a lower bound on
$\lambda_1(\Lambda)$ depending only on the degree of the number field [Rem32], and an upper
bound on $\det \Lambda$ in terms of the degree and discriminant of the number field
[San91].

The only case in which we know how to prove the conjecture is $n = 1$. In
that case, we have $\Lambda = v\mathbb{Z}$ for some real number $v > 0$. Given two elements
$av, bv \in \Lambda \cap [0,B)$, we have that $\langle av, bv \rangle = v\mathbb{Z}$ if and only if $a$ and $b$ are coprime.
Therefore, we are interested in the probability that two random integers in
$[0, \frac{B}{\det \Lambda})$ are coprime. For $\frac{B}{\det \Lambda} \to \infty$, it is well-known that this probability
goes to $\zeta(2)^{-1} = \frac{6}{\pi^2} \approx 0.607927$. One can easily make this more precise,
for example by using the computations from [Leh00] and additional computer
computations for $n \leq 1000$:

Proposition 3.2. Let $n \geq 1$ be a natural number and
$$p_n := \frac{\bigl|\{(x,y) \in \mathbb{N}^2 \mid 0 \leq x, y \leq n,\ \gcd(x,y) = 1\}\bigr|}{(n+1)^2}.$$
Then
$$p_n \geq p_{10} > 0.5909,$$
with equality in the first inequality if and only if $n = 10$.

The proof can be found in Appendix A. Therefore, the conjecture
is true for $n = 1$ with $c_1 = p_{10}$ and $f_1(x,y) = x$.

Finally, note that in case $n = m$, the result in [MRW11] shows that one
expects that the only lower bound one can give is 0. We have run a few
experiments here as well, and already for $C = 10^4$, not a single unimodular matrix
was found during the experiments.

 n | C = 10^4 | C = 10^9 | C = 10^18 | ideal probability
 1 | 60.7273% | 60.8094% | 60.8103%  | 60.7927%
 2 | 50.5849% | 50.5899% | 50.5649%  | 50.5739%
 3 | 46.7040% | 46.7257% | 46.7367%  | 46.7272%
 4 | 45.0382% | 45.0252% | 45.0080%  | 45.0631%
 5 | 44.2531% | 44.2315% | 44.2052%  | 44.2949%
 6 | 43.8661% | 43.8894% | 43.8740%  | 43.9281%
 7 | 43.6945% | 43.6773% | 43.7059%  | 43.7497%
 8 | 43.6003% | 43.6162% | 43.6049%  | 43.6620%
 9 | 43.5529% | 43.5662% | 43.5447%  | 43.6187%
10 | 43.5369% | 43.5343% | 43.5332%  | 43.5971%
11 | 43.5124% | 43.5463% | 43.5556%  | 43.5864%
12 | 43.5314% | 43.5488% | 43.5218%  | 43.5810%
13 | 43.5329% | 43.5314% | 43.5224%  | 43.5784%
14 | 43.5217% | 43.5322% | 43.5679%  | 43.5770%
15 | 43.5113% | 43.5273% | 43.4947%  | 43.5764%

Table 1: Average empirical probability that a random $n \times (n+1)$ integer matrix
from a random parallelepiped inside $[-C, C]^n$ is unimodular.

 n | C = 10^4 | C = 10^9 | C = 10^18 | ideal probability
 1 | 58.98%   | 59.17%   | 59.31%    | 60.7927%
 2 | 49.03%   | 48.91%   | 49.17%    | 50.5739%
 3 | 45.16%   | 44.96%   | 45.34%    | 46.7272%
 4 | 43.09%   | 43.31%   | 43.60%    | 45.0631%
 5 | 42.39%   | 42.61%   | 42.61%    | 44.2949%
 6 | 42.27%   | 42.06%   | 42.06%    | 43.9281%
 7 | 42.24%   | 42.37%   | 41.72%    | 43.7497%
 8 | 41.99%   | 42.17%   | 41.83%    | 43.6620%
 9 | 42.18%   | 42.14%   | 41.78%    | 43.6187%
10 | 42.14%   | 42.02%   | 42.14%    | 43.5971%
11 | 41.94%   | 41.97%   | 42.09%    | 43.5864%
12 | 41.86%   | 41.81%   | 42.09%    | 43.5810%
13 | 41.98%   | 42.12%   | 42.05%    | 43.5784%
14 | 41.65%   | 42.10%   | 42.06%    | 43.5770%
15 | 41.99%   | 42.00%   | 42.13%    | 43.5764%

Table 2: Minimal empirical probability that a random $n \times (n+1)$ integer matrix
from a random parallelepiped inside $[-C, C]^n$ is unimodular.



4 Conclusions 

We have shown the following result: 

Theorem 4.1. Let $\Lambda$ be a lattice of full rank in $\mathbb{R}^n$, and assume that $B \geq$
$8n^{n/2} \cdot \nu(\Lambda)$ and $B_1 \geq 8n^2(n+1)B$. If $n$ vectors are selected uniformly at random
from $\Lambda \cap [0,B)^n$ and $n+1$ vectors uniformly at random from $\Lambda \cap [0,B_1)^n$, then
the probability that all these vectors generate $\Lambda$ is at least
$$\frac{1}{2}\left(C - \frac{1}{4}\right) > 0.092.$$

This result allows us to obtain lower bounds on the success probability of
a quantum algorithm for computing units of a number field $K$, or for solving
the Discrete Logarithm Problem in the infrastructure of a number field $K$. The
resulting lower bound is of the form $P_1 \cdot P_2 > 0$, where $n = O([K : \mathbb{Q}])$ is
essentially the unit rank of $K$.

As mentioned in Section 2.2, the approach of first selecting $n$ elements to
create a sublattice $\Lambda_1$ of full rank, and then $n+1$ elements from $\Lambda/\Lambda_1$, requires
at least $2n+1$ elements.

Finally, we conjecture that our result can be improved upon: choosing $n+1$
vectors using one window size should suffice. The lower bound on the probability
in this case should be close to $\prod_{i=2}^{\infty} \zeta(i)^{-1} > 0.434$.

Acknowledgments. P.W. gratefully acknowledges the support from the NSF grant
CCF-0726771 and the NSF CAREER Award CCF-0746600. P.W. would also
like to thank Joachim Rosenthal and his group members for their hospitality
during his visit at the Institute of Mathematics, University of Zurich. F.F.
gratefully acknowledges partial support from the SNF grant No. 132256. Both
authors would like to thank A. Schmidt for pointing out an error in an earlier
preprint.



References

[Bar] A. Barvinok. Math669: Combinatorics, geometry and complexity of integer points.
http://www.math.lsa.umich.edu/~barvinok/latticenotes669.pdf

[Buc91] J. A. Buchmann. Number theoretic algorithms and cryptology. In FCT '91:
Proceedings of the 8th International Symposium on Fundamentals of Computation
Theory, pages 16-21, London, UK, 1991. Springer-Verlag.

[CFA+06] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and
F. Vercauteren, editors. Handbook of elliptic and hyperelliptic curve cryptography.
Discrete Mathematics and its Applications (Boca Raton). Chapman & Hall/CRC,
Boca Raton, FL, 2006.

[CM01] K. K. H. Cheung and M. Mosca. Decomposing finite abelian groups.
Quantum Information & Computation, 1(3):26-32, 2001.

[Fon11] F. Fontein. The infrastructure of a global field of arbitrary unit rank.
Math. Comp., 80(276):2325-2357, 2011.

[FW12] F. Fontein and P. Wocjan. Quantum algorithm for computing the period
lattice of an infrastructure. http://arxiv.org/abs/1111.1348, 2012.

[Hal02] S. Hallgren. Polynomial-time quantum algorithms for Pell's equation and
the principal ideal problem. In Proceedings of the Thirty-Fourth Annual ACM
Symposium on Theory of Computing, pages 653-658 (electronic), New York, 2002. ACM.

[Hal05] S. Hallgren. Fast quantum algorithms for computing the unit group and
class group of a number field. In STOC'05: Proceedings of the 37th Annual ACM
Symposium on Theory of Computing, pages 468-474. ACM, New York, 2005.

[Leh00] Derrick Norman Lehmer. Asymptotic evaluation of certain totient sums.
Amer. J. Math., 22(4):293-335, 1900.

[MG02] D. Micciancio and S. Goldwasser. Complexity of lattice problems: a
cryptographic perspective. The Kluwer International Series in Engineering and
Computer Science, 671. Kluwer Academic Publishers, Boston, MA, 2002.

[MRW11] Gerard Maze, Joachim Rosenthal, and Urs Wagner. Natural density of
rectangular unimodular integer matrices, 2011.

[MvOV97] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of
applied cryptography. CRC Press Series on Discrete Mathematics and its
Applications. CRC Press, Boca Raton, FL, 1997. With a foreword by Ronald L. Rivest.

[Pom01] C. Pomerance. The expected number of random elements to generate a
finite abelian group. Periodica Mathematica Hungarica, 43(1-2):191-198, 2001.

[Rem32] R. Remak. Über die Abschätzung des absoluten Betrages des Regulators
eines algebraischen Zahlkörpers nach unten. J. Reine Angew. Math., 167:360-378, 1932.

[San91] J. W. Sands. Generalization of a theorem of Siegel. Acta Arith.,
58(1):47-57, 1991.

[SBW94] R. Scheidler, J. A. Buchmann, and H. C. Williams. A key-exchange
protocol using real quadratic fields. J. Cryptology, 7(3):171-199, 1994.

[Sch07] A. Schmidt. Zur Lösung von zahlentheoretischen Problemen mit
klassischen und Quantencomputern. Ph.D. thesis, Technische Universität
Darmstadt, 2007.

[Seq] Integer sequence A021002. The On-Line Encyclopedia of Integer Sequences,
http://oeis.org/A021002

[SV05] A. Schmidt and U. Vollmer. Polynomial time quantum algorithm for the
computation of the unit group of a number field (extended abstract). In STOC'05:
Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pages
475-480. ACM, New York, 2005.

[SW11] P. Sarvepalli and P. Wocjan. Quantum algorithms for one-dimensional
infrastructures. http://arxiv.org/abs/1106.6347, 2011.



A Proofs from Section 2

Let $\Lambda$ be a lattice in $\mathbb{R}^n$ of full rank. For $\lambda \in \Lambda$, let
$$V_\Lambda(\lambda) = \{x \in \mathbb{R}^n \mid \forall \lambda' \in \Lambda \setminus \{\lambda\} : \|x - \lambda\|_2 < \|x - \lambda'\|_2\}$$
be its (open) Voronoi cell. We know that $V_\Lambda(\lambda)$ is contained in an open ball
of radius $\nu(\Lambda)$ centered around $\lambda$, where $\nu(\Lambda)$ is the covering radius of $\Lambda$, and
that the volume of $V_\Lambda(\lambda)$ is $\det \Lambda$. Moreover, if $\lambda \neq \lambda'$, $V_\Lambda(\lambda) \cap V_\Lambda(\lambda') = \emptyset$, and
$\bigcup_{\lambda \in \Lambda} \overline{V_\Lambda(\lambda)} = \mathbb{R}^n$. Details can be found in [MG02, Chapter 8].
Proof of Lemma 2.1. If $\lambda \in \Lambda$ satisfies $V_\Lambda(\lambda) \cap [\nu(\Lambda), B - \nu(\Lambda))^n \neq \emptyset$, then we
must have $\lambda \in [0,B)^n$. Therefore, $(B - 2\nu(\Lambda))^n / \det \Lambda \leq |\Lambda \cap [0,B)^n|$.

If $\lambda \in \Lambda \cap [0,B)^n$, then we must have $V_\Lambda(\lambda) \subseteq [-\nu(\Lambda), B + \nu(\Lambda))^n$. Therefore,
$|\Lambda \cap [0,B)^n| \leq (B + 2\nu(\Lambda))^n / \det \Lambda$. $\Box$

Proof of Lemma 2.2. Let $\lambda \in \Lambda \cap H \cap [0,B)^n$. Then $V_\Lambda(\lambda) \subseteq X := [-\nu(\Lambda), B + \nu(\Lambda))^n \cap (H + B_{\nu(\Lambda)}(0))$,
where $B_{\nu(\Lambda)}(0)$ is the ball of radius $\nu(\Lambda)$ centered around $0$.
Therefore, $|\Lambda \cap H \cap [0,B)^n| \leq \operatorname{vol}(X)/\det \Lambda$, and we have to estimate $\operatorname{vol}(X)$.

Clearly, if $\operatorname{vol}_k(Y)$ denotes the $k$-dimensional volume of $Y := H \cap [-\nu(\Lambda), B + \nu(\Lambda))^n$,
we have that $\operatorname{vol}(X) \leq \operatorname{vol}_k(Y) \cdot (2\nu(\Lambda))^{n-k}$. (In fact, we can replace
$(2\nu(\Lambda))^{n-k}$ by the volume of an $(n-k)$-dimensional ball of radius $\nu(\Lambda)$.)

Let $b_1, \ldots, b_k$ be an orthonormal basis of $H$. Set $T := \{(x_1, \ldots, x_k) \in \mathbb{R}^k \mid$
$\sum_{i=1}^{k} x_i b_i \in [-\nu(\Lambda), B + \nu(\Lambda))^n\}$; then $\operatorname{vol}(T) = \operatorname{vol}_k(Y)$. A point $y \in Y$
corresponds to $(\langle y, b_1 \rangle, \ldots, \langle y, b_k \rangle) \in T$. Write $b_i = (b_{i1}, \ldots, b_{in})$ and $y =$
$(y_1, \ldots, y_n) \in [-\nu(\Lambda), B + \nu(\Lambda))^n$, and set $A_{ij} := B + \nu(\Lambda)$ if $b_{ij} > 0$ and $A_{ij} := \nu(\Lambda)$
if $b_{ij} < 0$. Then
$$\sum_{j=1}^{n} |b_{ij}|\,\bigl(A_{ij} - B - 2\nu(\Lambda)\bigr) \leq \langle y, b_i \rangle = \sum_{j=1}^{n} b_{ij}\, y_j \leq \sum_{j=1}^{n} |b_{ij}|\, A_{ij},$$
implying that $\langle y, b_i \rangle$ ranges over an interval of length $\|b_i\|_1 (B + 2\nu(\Lambda)) \leq \sqrt{n}\,(B + 2\nu(\Lambda))$.
Therefore,
$$\operatorname{vol}(T) \leq n^{k/2} (B + 2\nu(\Lambda))^k. \qquad \Box$$



Proof of Corollary 2.3. Assume that $y_1, \ldots, y_k \in X$ are linearly independent,
$0 \leq k < n$. We have to bound from above the probability that $y_{k+1} \in X$ is
contained in the hyperplane generated by $y_1, \ldots, y_k$, which is of dimension $k$.
Write $B = j \cdot \nu(\Lambda)$ with $j \geq 8n^{n/2}$. By Lemmas 2.1 and 2.2, the probability
that $y_{k+1}$ is in a $k$-dimensional hyperplane is bounded from above by
$$p_k := \frac{n^{k/2}\,(B + 2\nu(\Lambda))^k\,(2\nu(\Lambda))^{n-k}}{\det \Lambda} \cdot \frac{\det \Lambda}{(B - 2\nu(\Lambda))^n} = \frac{n^{k/2}\,(j+2)^k\, 2^{n-k}}{(j-2)^n}.$$
The success probability is bounded from below by $\prod_{k=0}^{n-1}(1 - p_k)$. Using induction
on $n$, we can prove that
$$\prod_{k=0}^{n-1} (1 - p_k) \geq 1 - \sum_{k=0}^{n-1} p_k.$$
The sum $\sum_{k=0}^{n-1} p_k$ can be bounded from above as follows:
$$\sum_{k=0}^{n-1} p_k = \frac{2^n}{(j-2)^n} \sum_{k=0}^{n-1} \left(\frac{\sqrt{n}\,(j+2)}{2}\right)^k \leq \frac{2^n}{(j-2)^n} \cdot \frac{\left(\frac{\sqrt{n}\,(j+2)}{2}\right)^n}{\frac{\sqrt{n}\,(j+2)}{2} - 1} = n^{n/2} \left(\frac{j+2}{j-2}\right)^n \cdot \frac{1}{\frac{\sqrt{n}\,(j+2)}{2} - 1}.$$
Now $\left(\frac{j+2}{j-2}\right)^n = \left(1 + \frac{4}{j-2}\right)^n \leq \exp\left(\frac{4n}{j-2}\right) \leq \exp\left(\frac{4n}{8n^{n/2} - 2}\right) \leq 2$ for all $n \geq 1$, and
$\frac{\sqrt{n}\,(j+2)}{2} - 1 \geq \frac{j}{2}$, whence
$$\sum_{k=0}^{n-1} p_k \leq 2n^{n/2} \cdot \frac{2}{j} \leq \frac{4n^{n/2}}{8n^{n/2}} = \frac{1}{2}. \qquad \Box$$



Proof of Proposition 2.5. Let $p_1, \ldots, p_k$ be the prime divisors of $|G|$, and let $G_j$
be the $p_j$-Sylow subgroup of $G$. Then $G = G_1 \oplus \cdots \oplus G_k$. Let $(g_1, \ldots, g_{n+1}) \in$
$G^{n+1}$ be $n+1$ elements of $G$; then we can write $g_i = (g_{i1}, \ldots, g_{ik}) \in G_1 \times \cdots \times G_k$.
Now
$$G = \langle g_1, \ldots, g_{n+1} \rangle \iff \forall j : G_j = \langle g_{1j}, \ldots, g_{n+1,j} \rangle.$$
Hence, it suffices to bound the probability for abelian $p$-groups.

In the proof of the theorem in [Pom01], it is shown that the probability that
$n+1$ elements in an abelian $p$-group of $p$-rank $r$ generate the group is
$$\prod_{i=1}^{r} \left(1 - p^{-((n+1-r)+i)}\right) \geq \prod_{i=2}^{n+1} \left(1 - p^{-i}\right).$$
We know that $r \leq n$, since $G$ is generated by $n$ elements.

Therefore, the probability that $n+1$ elements of an arbitrary finite abelian
group $G$ which can be generated by $n$ elements generate the group is at least
$$\prod_p \prod_{i=2}^{n+1} \left(1 - p^{-i}\right) = \prod_{i=2}^{n+1} \prod_p \left(1 - p^{-i}\right) = \left(\prod_{i=2}^{n+1} \zeta(i)\right)^{-1},$$
using the Euler product representation of the Riemann zeta function. Now
$$\prod_{i=2}^{n+1} \zeta(i) \leq \prod_{i=2}^{\infty} \zeta(i) = C^{-1}.$$
The product $\prod_{i=2}^{\infty} \zeta(i)$ is well-known in group theory [Seq]. $\Box$
Proof of Lemma 2.6. First note that $V_{\Lambda_1}(\lambda_1) = \lambda_1 + V_{\Lambda_1}(0)$ and $\overline{V_{\Lambda_1}(\lambda_1)} = \lambda_1 + \overline{V_{\Lambda_1}(0)}$. Now, as $\bigcup_{\lambda_1 \in \Lambda_1} (\lambda_1 + \overline{V_{\Lambda_1}(0)}) = \mathbb{R}^n$ and two translates of $V_{\Lambda_1}(0)$ by different elements of $\Lambda_1$ do not intersect, there exists a set $V$ with $V_{\Lambda_1}(0) \subseteq V \subseteq \overline{V_{\Lambda_1}(0)}$ satisfying

\[
\bigcup_{\lambda_1 \in \Lambda_1} (\lambda_1 + V) = \mathbb{R}^n \quad \text{and} \quad \forall \lambda_1 \in \Lambda_1 \setminus \{0\} : (\lambda_1 + V) \cap V = \emptyset.
\]

Note that $\mathrm{vol}(V) = \mathrm{vol}(V_{\Lambda_1}(0)) = \det \Lambda_1$.

Every translate of $V$ contains the same number of elements from $\Lambda$, and $|V \cap \Lambda|$ equals

\[
m = \det \Lambda_1 / \det \Lambda;
\]

this can be shown using asymptotic arguments similarly to the proof that any elementary parallelepiped of $\Lambda_1$ contains exactly $m$ elements of $\Lambda$ (see e.g. [Bar]). For every $\lambda_1 \in \Lambda_1$, the vectors $\lambda - \lambda_1$, $\lambda \in \Lambda \cap (\lambda_1 + V)$, form a transversal for $\Lambda/\Lambda_1$. As $V \subseteq B_{\nu(\Lambda_1)}(0)$, there are at least

\[
\ell_V := \frac{(B_1 - 2\nu(\Lambda_1))^n}{\det \Lambda_1}
\]

translates of $V$ that are contained inside the window $[0, B_1)^n$. There are at most

\[
u_P := \frac{(B_1 + 2\nu(\Lambda))^n}{\det \Lambda}
\]

points of $\Lambda$ inside $[0, B_1]^n$.

Then $d_{\max} := \lfloor u_P - m \ell_V \rfloor$ is the maximal possible deviation in the number of points of $\Lambda$ inside $[0, B_1]^n$ from the lower bound $m \ell_V$. Let $d \in \{0, \dots, d_{\max}\}$ be the actual deviation.

Ideally, we would have the uniform distribution $p_j = 1/m$ on $\Lambda/\Lambda_1$. But we only have the almost uniform distribution, which necessarily has the form

\[
p_j = \frac{\ell_V + d_j}{m \ell_V + d} \quad \text{for } j = 1, \dots, m,
\]

where $d_1, \dots, d_m$ are integers with $0 \le d_j \le d$ and $\sum_{j=1}^m d_j = d$. The total variation distance can be bounded as follows. We have

\[
\frac{1}{2} \sum_{j=1}^m \left| \frac{1}{m} - p_j \right|
= \frac{1}{2m} \sum_{j=1}^m \left| \frac{d - m d_j}{m \ell_V + d} \right|
\le \frac{1}{2m} \sum_{j=1}^m \frac{d + m d_j}{m \ell_V + d}
= \frac{d}{m \ell_V + d}
\le \frac{d_{\max}}{m \ell_V + d_{\max}}
\le \frac{u_P - m \ell_V}{u_P}
= 1 - \frac{(B_1 - 2\nu(\Lambda_1))^n}{(B_1 + 2\nu(\Lambda))^n}.
\]

Note that so far, we have considered $[0, B_1]^n$ instead of $[0, B_1)^n$. As $\Lambda$ is discrete, there exists some $2\nu(\Lambda_1) < B_1' < B_1$ with $[0, B_1']^n \cap \Lambda = [0, B_1)^n \cap \Lambda$. Applying the result above to $[0, B_1']^n$ and then using that $x \mapsto 1 - \frac{(B_1 - 2\nu(\Lambda_1))^n}{(x + 2\nu(\Lambda))^n}$ is increasing yields the stated claim for $[0, B_1)^n$. $\square$
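As an added illustration of Lemma 2.6 (my own Python, not code from the paper), the following takes $\Lambda = \mathbb{Z}^n$ and $\Lambda_1 = d\mathbb{Z}^n$, for which $m = d^n$ and the covering radii are $\nu(\Lambda) = \sqrt{n}/2$ and $\nu(\Lambda_1) = d\sqrt{n}/2$. It counts the points of $\Lambda \cap [0, B_1)^n$ in each coset of $\Lambda/\Lambda_1$ by brute-force enumeration, computes the exact total variation distance of that coset distribution from the uniform one, and compares it with the lemma's bound $1 - \left((B_1 - 2\nu(\Lambda_1))/(B_1 + 2\nu(\Lambda))\right)^n$, which requires $B_1 > 2\nu(\Lambda_1)$. Function names and the choice of lattices are mine.

```python
from fractions import Fraction
from itertools import product
from math import sqrt


def covering_radius_scaled_cubic(n, d):
    """Covering radius of d*Z^n: half the diagonal of a cube of side d."""
    return d * sqrt(n) / 2


def coset_counts(n, d, B1):
    """Number of points of Z^n in [0, B1)^n lying in each coset of Z^n / dZ^n.
    Cosets are keyed by the residue vector modulo d; all d^n keys are present."""
    counts = {key: 0 for key in product(range(d), repeat=n)}
    for x in product(range(B1), repeat=n):
        counts[tuple(c % d for c in x)] += 1
    return counts


def total_variation_from_uniform(counts):
    """1/2 * sum_j |c_j / N - 1/m| as an exact fraction."""
    m = len(counts)
    total = sum(counts.values())
    return Fraction(1, 2) * sum(abs(Fraction(c, total) - Fraction(1, m))
                                for c in counts.values())


def lemma_bound(n, d, B1):
    """Right-hand side of Lemma 2.6 for Lambda = Z^n, Lambda_1 = dZ^n."""
    nu = covering_radius_scaled_cubic(n, 1)
    nu1 = covering_radius_scaled_cubic(n, d)
    if B1 <= 2 * nu1:
        raise ValueError("window too small: the lemma needs B1 > 2 nu(Lambda_1)")
    return 1 - ((B1 - 2 * nu1) / (B1 + 2 * nu)) ** n


def check(n, d, B1):
    """Return (exact total variation distance, lemma bound) for these parameters."""
    tv = total_variation_from_uniform(coset_counts(n, d, B1))
    return tv, lemma_bound(n, d, B1)


if __name__ == "__main__":
    tv, bound = check(2, 3, 20)
    print("n=2, d=3, B1=20: TV =", tv, "=", float(tv), " bound =", bound)
```

For $n = 2$, $d = 3$, $B_1 = 20$ the nine cosets receive 49, 42 or 36 of the 400 window points, giving an exact total variation distance of $41/900 \approx 0.046$, while the lemma guarantees only about $0.46$; the bound is crude because it charges the whole boundary slab of width $2\nu(\Lambda_1) + 2\nu(\Lambda)$ to a single coset.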



Proof of Corollary 2.7. Let $\Lambda_1$ be the full-rank sublattice generated by $y_1, \dots, y_n$. We have the following simple bound on the covering radius:

\[
\nu(\Lambda_1) \le \frac{1}{2} \sum_{i=1}^n \lambda_i(\Lambda_1) \le \frac{n}{2} \max_i \|y_i\| < \frac{n \sqrt{n}\, B}{2},
\]

since the $y_i$ are linearly independent and every vector in $[0, B)^n$ is shorter than $\sqrt{n} B$. Moreover, $\nu(\Lambda_1) \ge \nu(\Lambda)$.

Let $z_i$ be uniformly distributed in $\Lambda \cap [0, B_1)^n$. Then, Lemma 2.6 implies that $z_i + \Lambda_1$ (for $i = n+1, \dots, 2n+1$) are distributed almost uniformly at random in $\Lambda/\Lambda_1$. The total variation distance from the uniform distribution is bounded from above as follows:

\[
1 - \frac{(B_1 - 2\nu(\Lambda_1))^n}{(B_1 + 2\nu(\Lambda))^n}
\le 1 - \frac{(B_1 - 2\nu(\Lambda_1))^n}{(B_1 + 2\nu(\Lambda_1))^n}
= 1 - \left(1 - \frac{4\nu(\Lambda_1)}{B_1 + 2\nu(\Lambda_1)}\right)^n
\le \frac{4 n \nu(\Lambda_1)}{B_1 + 2\nu(\Lambda_1)}
\le \frac{4 n \nu(\Lambda_1)}{B_1}
\le \frac{2 n^{5/2} B}{B_1}
\le \frac{1}{4(n+1)}.
\]

Consider now the uniform probability distribution on the $(n+1)$-fold direct product of $\Lambda/\Lambda_1$ and the probability distribution that arises from sampling almost uniformly at random on each of the components as above. Then the total variation distance between these two distributions is bounded from above by $(n+1) \cdot \frac{1}{4(n+1)} = \frac{1}{4}$. This is because the total variation distance is subadditive under composition provided that the components are independent (see e.g. [MG02, Subsection 1.3 "Statistical distance" in Chapter 8] for more information on the total variation distance).

Clearly, the abelian group $\Lambda/\Lambda_1$ can be generated with only $n$ generators. Hence, Proposition 2.5 implies that $n+1$ samples (provided that they are distributed uniformly at random over the group) form a generating set with probability greater than or equal to $\left(\prod_{i=2}^{\infty} \zeta(i)\right)^{-1}$. Due to the deviation from the uniform distribution on the $(n+1)$-fold direct product of $\Lambda/\Lambda_1$ this probability may decrease. However, it is at least $\left(\prod_{i=2}^{\infty} \zeta(i)\right)^{-1} - \frac{1}{4}$ since the total variation distance is at most $\frac{1}{4}$. The claim follows now by translating the lower bound on the probability to a lower bound on the fraction of elements with the desired property. $\square$



Proof of Proposition 3.2. For $n \ge 1$, let

\[
A(n) := \left|\{(x, y) \in \mathbb{N}^2 \mid 0 \le x, y \le n,\ \gcd(x, y) = 1\}\right|.
\]

Clearly, $p_n = \frac{A(n)}{(n+1)^2}$ and $A(n) = 2 \sum_{k=1}^n \varphi(k) + 1$, where

\[
\varphi(k) = \left|\{x \in \mathbb{N} \mid 0 < x \le k,\ \gcd(x, k) = 1\}\right|
\]

is Euler's totient function. Now in [Leh00, Theorem IV and proof], it is proven that

\[
\sum_{k=1}^n \varphi(k) = \frac{1}{\zeta(2)} \cdot \frac{n^2}{2} + \Delta(n), \quad \text{where } |\Delta(n)| \le n \sum_{k=1}^n \frac{1}{k} + \frac{n}{2},
\]

and $\zeta$ is the Riemann $\zeta$ function. Now $\sum_{k=1}^n \frac{1}{k} \le 1 + \log n$, whence

\[
|\Delta(n)| \le n(1 + \log n) + \frac{1}{2} n = \frac{3}{2} n + n \log n.
\]

This together with $\zeta(2) = \frac{\pi^2}{6}$ shows that

\[
p_n = \frac{1 + 2 \sum_{k=1}^n \varphi(k)}{(n+1)^2}
\ge \frac{1 + 2\left(\frac{3}{\pi^2} n^2 - \frac{3}{2} n - n \log n\right)}{(n+1)^2}
= \frac{6}{\pi^2} \cdot \frac{n^2}{(n+1)^2} - \frac{2 n \log n}{(n+1)^2} - \frac{3n}{(n+1)^2} + \frac{1}{(n+1)^2}.
\]

Using a computer program, one quickly verifies that $p_n \ge$ J| for all $n \in \mathbb{Z} \cap [1, 1000]$, with equality if and only if $n = 10$. For $n \ge n_0 := 1000$, the above inequality yields



-> A n o n o lo S "o _ 3rt ^ 

/ '" > ^ ' (n + l) 2 (n + l) 2 2(n + l) 2 22 ' 
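An added Python example (my own code, not the program the proof refers to) for the computation in this proof: it evaluates $\varphi$ by a sieve, checks the identity $A(n) = 2\sum_{k=1}^n \varphi(k) + 1$ against brute-force counting of coprime pairs $(x,y)$ with $0 \le x, y \le n$, returns $p_n = A(n)/(n+1)^2$ as an exact fraction, and evaluates the analytic lower bound $\frac{6}{\pi^2}\frac{n^2}{(n+1)^2} - \frac{2n\log n}{(n+1)^2} - \frac{3n}{(n+1)^2} + \frac{1}{(n+1)^2}$ that follows from $|\Delta(n)| \le \frac{3}{2}n + n\log n$, with $\log$ taken as the natural logarithm. Function names are mine.

```python
from fractions import Fraction
from math import gcd, log, pi


def totients_upto(N):
    """Euler's totient phi(k) for k = 0..N by a sieve:
    phi(k) = k * prod_{p | k} (1 - 1/p), primes processed in increasing order."""
    phi = list(range(N + 1))
    for p in range(2, N + 1):
        if phi[p] == p:                 # untouched so far, hence p is prime
            for k in range(p, N + 1, p):
                phi[k] -= phi[k] // p
    return phi


def coprime_pairs_bruteforce(n):
    """A(n) = #{(x, y) : 0 <= x, y <= n, gcd(x, y) = 1} by direct counting."""
    return sum(1 for x in range(n + 1) for y in range(n + 1) if gcd(x, y) == 1)


def coprime_pairs(n, phi=None):
    """A(n) via the identity A(n) = 2 * sum_{k=1}^n phi(k) + 1."""
    if phi is None:
        phi = totients_upto(n)
    return 2 * sum(phi[1:n + 1]) + 1


def p_n(n, phi=None):
    """Exact value of p_n = A(n) / (n+1)^2."""
    return Fraction(coprime_pairs(n, phi), (n + 1) ** 2)


def lower_bound(n):
    """Analytic lower bound on p_n from Lehmer's estimate with
    |Delta(n)| <= 3n/2 + n log n.  Negative (hence vacuous) for small n."""
    m = (n + 1) ** 2
    return 6 / pi ** 2 * n ** 2 / m - 2 * n * log(n) / m - 3 * n / m + 1 / m


def identity_holds_upto(N):
    """Check the phi-sum formula for A(n) against brute force for all n <= N."""
    phi = totients_upto(N)
    return all(coprime_pairs(n, phi) == coprime_pairs_bruteforce(n)
               for n in range(1, N + 1))


def bound_holds_upto(N):
    """Check p_n >= lower_bound(n) for all n <= N."""
    phi = totients_upto(N)
    return all(float(p_n(n, phi)) >= lower_bound(n) for n in range(1, N + 1))


if __name__ == "__main__":
    print("p_10 =", p_n(10), "=", float(p_n(10)))
    print("lower bound at n = 1000:", lower_bound(1000))
```

At $n = 1000$ the analytic bound is roughly $0.59$, already close to the limit $6/\pi^2 \approx 0.608$, whereas for small $n$ it is negative and only the exact computation of $p_n$ carries information; this is why the proof splits the range at $n_0 = 1000$.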